I'm wondering if there have been any recent advances (say, the past 5-10 years) in human usability for cryptography and/or authentication?

By that I mean something that makes it easier for an average person to make use of the benefits of cryptography. It strikes me that although we have all these great algorithms for encryption and hashing, and they have widespread use in machine-to-machine communication, it's still hard for us humans to use cryptography, because there's an impedance-mismatch between these methods and the way most people's brains work.

(The only one I can think of is OpenID or things like it, namely a way of decoupling the authentication process from the point-of-use without compromising security, so that one authentication method can be used for many end uses.)

I'm also wondering why the allegedly secure websites (financial/healthcare) that I use, still use password access and still have "security questions" in case I forget my password, where the security questions aren't very secure.

Cryptography is being used in a lot of places already, and people might just not know about it. For example, whenever you access an HTTPS page, that's cryptography protecting you.

For desktop applications, many people use the Truecrypt application to protect their files. You also see a similar application in Windows BitLocker.

As for why more people aren't using cryptography applications, I would suggest that most people simply don't care nor realize they are at risk. Many people believe, "Why would anyone bother attacking me?" and so fail to protect themselves.

Security will always be secondary to performance, since if an application is not a good performer, no one will use it. As such, security is usually not only secondary, but sometimes even absent.

I'm also wondering why the allegedly secure websites (financial/healthcare) that I use, still use password access and still have "security questions" in case I forget my password, where the security questions aren't very secure.

There are more secure schemes; however, they cost money. Using the "security questions" makes it look like things are being done without doing them.

The 3 main food-groups of authentication are:

something you know (passwords and the so-called "security questions").

The tokens cost several dollars apiece, so banks won't spend the money unless the government holds a gun to their head. Although banks in Nordic countries have come up with a very cost-effective alternative: mailing cards with scratch-off areas; under each scratch-off area is a unique number to use when logging in.

In the US, financial institutions use passwords along with the "security question" scheme because regulatory agencies claim that is good enough. Due to regulatory capture, this security problem cannot be fixed in the US.

From e-mail to cellular communications, from secure Web access to digital cash, cryptography is an essential part of today's information systems. Cryptography helps provide accountability, fairness, accuracy, and confidentiality.

Cryptography can prevent fraud in electronic commerce and assure the validity of financial transactions. It can prove your identity or protect your anonymity. It can keep vandals from altering your Web page and prevent industrial competitors from reading your confidential documents. And in the future, as commerce and communications continue to move to computer networks, cryptography will become more and more vital.

For something-you-know authentication, one way of bridging the human side of 'remembering' with stronger cryptography is with a deterministic algorithm that generates a public key pair from that secret. We defined one such scheme for a platform product as a means of authentication.

The trade-off is the user must be willing to remember one very complex and entirely random password, in the range of 16 characters (to protect against brute-force key attacks). However, once that investment has been made, different identities are easily generated by making slight variations to the input secret.

There are a number of advantages to such an approach, e.g. passwords are never transmitted nor stored on servers, which eliminates certain types of attacks, and also a user can authenticate herself across multiple domains without relying on any centralized identity managers.

Below is a simple python code example which generates a 1024-bit RSA identity from a set of input parameters (requires Versile Python):
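The Versile Python snippet the answer refers to is not reproduced on this page. The following is an added, stand-alone illustration of the idea the answer describes, written for this page rather than taken from the answer or from Versile: a memorised secret is stretched with a password-based KDF, the result seeds a deterministic byte generator, and that generator drives RSA key generation, so the same secret always yields the same key pair and a per-domain label ("slight variations to the input secret") yields an unrelated identity for each site. The server stores only the public key and checks a signed challenge, so the secret itself is never transmitted or stored. Function names, the PBKDF2 iteration count, the fixed Miller-Rabin bases and the textbook hash-then-sign step are all choices made for this example; a real deployment would use a standard signature padding such as RSA-PSS.

```python
"""Deterministic RSA identity derived from a memorised secret (constructed example)."""
import hashlib
import hmac
from math import gcd, isqrt

# Odd primes below 1000: used both for trial division and as Miller-Rabin bases.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % q for q in range(3, isqrt(p) + 1, 2))]


class Drbg:
    """HMAC-SHA256 counter generator: the same seed always yields the same byte stream."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.counter = 0

    def bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self.counter.to_bytes(8, "big")
            out += hmac.new(self.seed, block, hashlib.sha256).digest()
            self.counter += 1
        return out[:n]

    def odd_int(self, bits: int) -> int:
        """Deterministic odd integer with exactly `bits` bits (top bit set)."""
        x = int.from_bytes(self.bytes((bits + 7) // 8), "big")
        x &= (1 << bits) - 1
        return x | (1 << (bits - 1)) | 1


def is_probable_prime(n: int) -> bool:
    """Trial division followed by Miller-Rabin with 32 fixed prime bases."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES[:32]:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(drbg: Drbg, bits: int) -> int:
    while True:
        candidate = drbg.odd_int(bits)
        if is_probable_prime(candidate):
            return candidate


def derive_identity(secret: str, label: str, bits: int = 1024):
    """Return (n, e, d): an RSA key pair that is a pure function of (secret, label).

    The label (e.g. the site's domain) acts as the salt, so one secret gives a
    different, unlinkable identity per site. PBKDF2 slows down offline guessing
    of the secret; the iteration count here is an arbitrary example value.
    """
    seed = hashlib.pbkdf2_hmac("sha256", secret.encode(), label.encode(), 200_000)
    drbg = Drbg(seed)
    e = 65537
    p = gen_prime(drbg, bits // 2)
    while True:  # re-draw q until the pair is usable with e
        q = gen_prime(drbg, bits // 2)
        phi = (p - 1) * (q - 1)
        if q != p and gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)
    return p * q, e, d


def fingerprint(n: int, e: int) -> str:
    """Short identifier of the public key, suitable for a server to store."""
    data = n.to_bytes((n.bit_length() + 7) // 8, "big") + e.to_bytes(4, "big")
    return hashlib.sha256(data).hexdigest()[:16]


def sign(n: int, d: int, message: bytes) -> int:
    # Textbook hash-then-sign for illustration only (no padding scheme).
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(n: int, e: int, message: bytes, sig: int) -> bool:
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(sig, e, n) == h


if __name__ == "__main__":
    secret = "7Qm#v2Lp!xR9kZ4w"  # constructed 16-character random secret
    for site in ("bank.example", "mail.example"):
        n, e, d = derive_identity(secret, site)
        print(site, fingerprint(n, e), verify(n, e, b"challenge", sign(n, d, b"challenge")))
```

Each site sees a different public key, so a compromise of one server reveals nothing that links or impersonates the user elsewhere, which is the cross-domain property the answer describes. The cost is exactly the one the answer names: the secret must be long and random, because anyone who can guess it can regenerate every identity derived from it.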